path: root/Makefile
Commit message [Author, Age]
* Merge pull request #5876 from kmk3/firecfg-add-confdir-ignore [netblue30, 2023-12-04]
|\
| | feature: firecfg: add firecfg.d & add ignore command
| * firecfg: parse config files in /etc/firejail/firecfg.d [Kelvin M. Klann, 2023-08-04]
| |
| | As suggested by @WhyNotHugo[1].
| |
| | [1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
* | build: add missing dbus/x11 commands to arg1 list [Kelvin M. Klann, 2023-09-06]
| |
| | Fix the list generation and run `make syntax`.
| |
| | Relates to #5627.
* | ci: use path whitelists instead of blacklists [Kelvin M. Klann, 2023-08-20]
| |
| | That is, replace `paths-ignore` with `paths`.
| |
| | This should reduce the number of unnecessary workflow executions and
| | the frequency at which paths are changed. It also reduces the overall
| | number of paths used.
| |
| | Also, add the missing ci/printenv.sh to the path whitelists.
* | Merge pull request #5956 from kmk3/build-fix-dep-syntax [Kelvin M. Klann, 2023-08-14]
|\ \
| | | build: add missing makefile dep & syntax improvements
| * | build: improve char escaping of syntax lists [Kelvin M. Klann, 2023-08-14]
| | |
| | | Escape `.` only when generating the syntax files rather than directly
| | | in the syntax lists, so that the latter contain the command names as
| | | is.
| | |
| | | This also makes the escaping apply to the arg1 syntax list as well.
| | |
| | | Note: Double escaping (`\\\\.`) is used in `regex_fromlf` because its
| | | output is used in another sed replacement (where it needs to be
| | | `\\.`).
| | |
| | | Relates to #5627.
| * | build: print syntax list generation [Kelvin M. Klann, 2023-08-12]
| | |
| | | Relates to #5627.
| * | build: add missing makefile dep [Kelvin M. Klann, 2023-08-12]
| | |
| | | Make the non-phony targets that are defined in the root Makefile
| | | depend on it, to ensure that they get re-generated if their recipes
| | | change.
| | |
| | | Note that these targets are generated nearly instantly, so this should
| | | not noticeably affect rebuild times.
| | |
| | | Relates to #5627.
* | | build: run codespell on almost all files [Kelvin M. Klann, 2023-08-14]
| | |
| | | Ignore only third-party/vendored files (such as license files and
| | | files in m4/).
| | |
| | | And ignore more words to fix the following errors:
| | |
| | |     $ make codespell
| | |     Running codespell...
| | |     ./README:484: als ==> also
| | |     ./README:646: Shotcut ==> Shortcut
| | |     ./RELNOTES:516: als ==> also
| | |     ./etc/inc/disable-common.inc:506: chage ==> change, charge
| | |     ./etc/apparmor/firejail-default:35: readby ==> read, read by
| | |     ./etc/apparmor/firejail-default:36: readby ==> read, read by
| | |     ./etc/profile-a-l/als.profile:1: als ==> also
| | |     ./etc/profile-a-l/als.profile:5: als ==> also
| | |     make: *** [Makefile:374: codespell] Error 65
| | |     $ codespell --version
| | |     2.2.5
* | | build: codespell: remove dependency on "clean" [Kelvin M. Klann, 2023-08-13]
|/ /
| | It works just fine without it (at least for the files in src/).
| |
| | Note that by default codespell does not warn about binary files ("The
| | default mask is 34"):
| |
| |     $ make -j "$(nproc)" >/dev/null
| |     $ make codespell
| |     codespell --ignore-regex "UE|creat|doas|ether|isplay|shotcut" src test
| |     $ codespell --version
| |     2.2.5
| |     $ codespell --help
| |     [...]
| |       -q QUIET_LEVEL, --quiet-level QUIET_LEVEL
| |           bitmask that allows suppressing messages:
| |           - 0: print all messages.
| |           - 1: disable warnings about wrong encoding.
| |           - 2: disable warnings about binary files.
| |           - 4: omit warnings about automatic fixes that were
| |             disabled in the dictionary.
| |           - 8: don't print anything for non-automatic fixes.
| |           - 16: don't print the list of fixed files.
| |           - 32: don't print configuration files.
| |           As usual with bitmasks, these levels can be combined;
| |           e.g. use 3 for levels 1+2, 7 for 1+2+4, 23 for
| |           1+2+4+16, etc. The default mask is 34.
| |
| | Also, note that adding many ignore patterns (such as all of the ones in
| | .gitignore) makes it slower than letting codespell find and skip binary
| | files by itself. So just add the most common ones, which do not
| | noticeably change how fast codespell runs either but they do reduce the
| | noise when running with `-q 0`.
| |
| | Homepage: https://github.com/codespell-project/codespell
| |
| | Added on commit d78fc96ee ("codespell github action", 2023-03-05).
* / build: fix codespell errors [Kelvin M. Klann, 2023-08-12]
|/
| This fixes the following errors:
|
|     $ make codespell
|     [...]
|     codespell --ignore-regex "UE|creat|doas|shotcut|ether" src test
|     src/firemon/procevent.c:188: duble ==> double
|     src/fnettrace/main.c:30: postive ==> positive
|     src/fnettrace/main.c:30: defiend ==> defined
|     src/fnettrace/main.c:482: isplay ==> display
|     make: *** [Makefile:371: codespell] Error 65
|     $ codespell --version
|     2.2.5
|
| Added in the following commits:
|
| * bef5d86a1 ("increase socket buffer size for firemon, bug #2700",
|   2019-09-29)
| * c4962789f ("nettrace stats", 2023-08-08)
* build: use config.sh in more scripts [Kelvin M. Klann, 2023-07-28]
|
| This removes the need to manually pass variables such as `$(TARNAME)`
| and `$(VERSION)` to shell scripts in the root Makefile.
|
| Relates to #5140.
* Merge pull request #5916 from kmk3/build-improve-dist [Kelvin M. Klann, 2023-07-27]
|\
| | build: dist and asc improvements
| * build: make asc use config.sh [Kelvin M. Klann, 2023-07-27]
| |
| | Similarly to mkdeb.sh.
| |
| | Relates to #5140.
| * build: make dist depend on just clean [Kelvin M. Klann, 2023-07-27]
| |
| | The clean target is currently enough to remove all generated files
| | other than the ones directly in the root directory, so to simplify the
| | dist target, make it depend on clean instead of distclean.
| |
| | See commit 5f2785290 ("build: remove unnecessary distclean targets",
| | 2023-07-15) / PR #5911.
| |
| | Relates to #5142 #5182.
| * build: remove remaining svn-related code [Kelvin M. Klann, 2023-07-24]
| |
| | The only other svn-related code seems to have been removed on commit
| | 7e1c057ae ("make testing", 2016-04-23).
| * build: sort DISTFILES_TEST [Kelvin M. Klann, 2023-07-24]
| |
| * build: format DISTFILES / DISTFILES_TEST [Kelvin M. Klann, 2023-07-24]
| |
* | split nettrace executable ^Cto netrace and netlock [netblue30, 2023-07-25]
|/
* build: remove unnecessary distclean targets [Kelvin M. Klann, 2023-07-20]
|
| This also fixes the duplicate execution of the "clean" targets.
* build: fix hardcoded make in recursive make calls [Kelvin M. Klann, 2023-07-20]
|
| Use the `$(MAKE)` macro to ensure that the same make program is used in
| the recursive invocation.
|
| Note: Most recursive calls already use `$(MAKE)`.
* disable-common.inc: blacklist sudo/doas paths in /etc [Kelvin M. Klann, 2023-07-14]
|
| Commands used to find the relevant paths in /etc:
|
|     $ pacman -Qo /etc/* 2>/dev/null | grep sudo | LC_ALL=C sort
|     /etc/pam.d/ is owned by sudo 1.9.14.p1-1
|     /etc/sudo.conf is owned by sudo 1.9.14.p1-1
|     /etc/sudo_logsrvd.conf is owned by sudo 1.9.14.p1-1
|     /etc/sudoers is owned by sudo 1.9.14.p1-1
|     /etc/sudoers.d/ is owned by sudo 1.9.14.p1-1
|
| Environment: Artix Linux.
|
| Also, add missing paths sudo/doas to etc/ids.config and jailcheck.
|
| See also commit dbebd71db ("disable-common.inc: blacklist doas binary",
| 2022-10-05).
|
| Relates to #5385.
|
| Reported-by: Dieter Plaetinck <dieter@plaetinck.be>
* build: simplify code related to man pages [Kelvin M. Klann, 2023-07-13]
|
| Simplify the main targets and use wildcards instead of repeating the
| filenames manually.
|
| Also, restore the `man` target and building only when `HAVE_MAN` is
| enabled.
|
| Note: Make automatically removes intermediate files (.1 and .5), so in
| general only the .gz files have to be cleaned.
|
| Commands used to rename the man pages:
|
|     cd src/man
|     git mv firecfg.txt firecfg.1.in
|     git mv firejail-login.txt firejail-login.5.in
|     git mv firejail-profile.txt firejail-profile.5.in
|     git mv firejail-users.txt firejail-users.5.in
|     git mv firejail.txt firejail.1.in
|     git mv firemon.txt firemon.1.in
|     git mv jailcheck.txt jailcheck.1.in
|
| This is kind of a follow-up to commit 9e206b7f2 ("rework src/man
| Makefile", 2023-07-07).
* build: restore seccomp filter targets [Kelvin M. Klann, 2023-07-13]
|
| This partially reverts commit 2b34747db ("generate seccomp filters at
| install time", 2023-07-07).
|
| See also commit 6fa19aab9 ("feature: use seccomp filters build at
| install time for --restrict-namespaces", 2023-07-12).
|
| The seccomp filters were always being built because
| src/fseccomp/fseccomp (and other programs) are in `$(ALL_ITEMS)`, which
| is incorrectly marked as phony.
|
| This commit fixes that and restores the previous target logic, for
| consistency with the other targets and so that the seccomp filters are
| made at build time rather than at install time.
* feature: use seccomp filters build at install time for --restrict-namespaces [netblue30, 2023-07-12]
|
* Makefile fix [netblue30, 2023-07-10]
|
* generate seccomp filters at install time [netblue30, 2023-07-07]
|
* rework src/man Makefile [netblue30, 2023-07-07]
|
* compress static ip map for fnettrace at compile time [netblue30, 2023-07-06]
|
* build: move MAKEFLAGS to config.mk.in [Kelvin M. Klann, 2023-06-24]
|
| To reduce the amount of boilerplate in the makefiles.
|
| This amends commit 9789c263a ("build: disable all built-in implicit
| make rules", 2023-06-21) / PR #5864.
* build: disable all built-in implicit make rules [Kelvin M. Klann, 2023-06-21]
|
| Use `make -r` to reduce unnecessary filesystem lookups.
|
| Overall, this appears to reduce the amount of implicit rule searches by
| ~93.3% (~97.5% compared to a8f01a383) for the default build and by
| ~83.3% (~99.3% compared to a8f01a383) for the "man" target (as an
| example):
|
|     $ git show --pretty='%h %ai %s' -s
|     a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
|     $ ./configure >/dev/null
|     $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|     6798
|     $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|     1085
|     # (in the previous commit)
|     $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|     2535
|     $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|     42
|     # (with this commit applied)
|     $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|     170
|     $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|     7
|
| Environment: GNU make 4.4.1-2 on Artix Linux.
|
| Note: According to make(1p) in POSIX.1-2017, "If .SUFFIXES does not
| have any prerequisites, the list of known suffixes shall be cleared.",
| while "The result of setting MAKEFLAGS in the Makefile is unspecified."
|
| Commands used to search and replace:
|
|     $ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
|       "printf '%s\n' \"\$(sed -E \
|       's/^(.SUFFIXES:)/\1\nMAKEFLAGS += -r\n/' '{}')\" >'{}'"
* build: disable most built-in implicit make rules [Kelvin M. Klann, 2023-06-21]
|
| Clear `.SUFFIXES:` to reduce unnecessary filesystem lookups.
|
| Overall, this appears to reduce the amount of implicit rule searches by
| ~62% for the default build and by ~96% for the "man" target (as an
| example):
|
|     $ git checkout master >/dev/null 2>&1
|     $ git show --pretty='%h %ai %s' -s
|     a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
|     $ ./configure >/dev/null
|     $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|     6798
|     $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|     1085
|     # (with this commit applied)
|     $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|     2535
|     $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|     42
|
| Environment: GNU make 4.4.1-2 on Artix Linux.
|
| Commands used to search and replace:
|
|     $ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
|       "printf '%s\n' \"\$(sed '1s/^/.SUFFIXES:\n/' '{}')\" >'{}'"
|
| See also commit f48886f25 ("build: mark most phony targets as such",
| 2023-02-01) / PR #5637.
* build: remove -mretpoline and NO_EXTRA_CFLAGS [Kelvin M. Klann, 2023-06-18]
|
| The -mretpoline flag is not documented in the current versions of gcc
| and clang and it is what causes scan-build to fail:
|
|     $ ./configure CC=clang | grep retpoline
|     checking whether C compiler accepts -mretpoline... yes
|        EXTRA_CFLAGS: -mretpoline -fstack-clash-protection -fstack-protector-strong
|     $ scan-build --status-bugs make
|     scan-build: Using '/usr/bin/clang-15' for static analysis
|     make -C src/lib
|     make[1]: Entering directory '/tmp/firejail/src/lib'
|     /usr/bin/../lib/clang/ccc-analyzer [...] -mretpoline [...] -c common.c -o common.o
|     gcc: error: unrecognized command-line option ‘-mretpoline’
|     make[1]: *** [../../src/prog.mk:16: common.o] Error 1
|     make[1]: Leaving directory '/tmp/firejail/src/lib'
|     make: *** [Makefile:59: src/lib] Error 2
|     scan-build: Analysis run complete.
|     scan-build: Removing directory '/tmp/scan-build-[...]' because it contains no reports.
|     scan-build: No bugs found.
|
| Environment: clang 15.0.7-9 and gcc 13.1.1-1 on Artix Linux.
|
| Note: NO_EXTRA_CFLAGS was added to work around this issue by causing
| all of the flags in EXTRA_CFLAGS to be ignored.
|
| Note2: -mretpoline was added on commit 4a99c8aa2 ("spectre support for
| clang compiler", 2018-03-30) and NO_EXTRA_CFLAGS was added on commit
| 490918c35 ("fix make scan-build for debian 10 and arch", 2019-07-22).
|
| See also commit 2c64d1fdd ("use AX_CHECK_COMPILE_FLAG to check for
| spectre flags", 2019-06-21).
|
| Closes #5509.
|
| Kind of relates to #2661.
* build: mark phony test targets as such [Kelvin M. Klann, 2023-06-15]
|
| See commit f48886f25 ("build: mark most phony targets as such",
| 2023-02-01) / PR #5637.
* ci: print env-related settings in each job [Kelvin M. Klann, 2023-04-28]
|
| To make debugging easier.
|
| Use a separate shell script instead of just a make target to ensure
| that it can safely run before ./configure and without having make
| installed.
* testing [netblue30, 2023-03-09]
|
* testing [netblue30, 2023-03-08]
|
* codespell github action [netblue30, 2023-03-05]
|
* more testing [netblue30, 2023-03-03]
|
* network testing [netblue30, 2023-03-02]
|
* appimage testing [netblue30, 2023-03-01]
|
* chroot testing [netblue30, 2023-02-28]
|
* Merge pull request #5668 from kmk3/build-deb-apparmor-default [netblue30, 2023-02-17]
|\
| | build: deb: enable apparmor by default & remove deb-apparmor
| * build: deb: enable apparmor by default & remove deb-apparmor [Kelvin M. Klann, 2023-02-17]
| |
| | The official .deb package is always built with apparmor support, so use
| | `--enable-apparmor` in mkdeb.sh and remove the "deb-apparmor" target in
| | order to reduce redundancy.
| |
| | Note that custom configure options may be specified by calling
| | ./mkdeb.sh directly. For example, to build the .deb package without
| | apparmor support, instead of running `make deb`, the following commands
| | can be used:
| |
| |     make dist
| |     ./mkdeb.sh --disable-apparmor
| |
| | Also, change the `build_apparmor` GitLab CI job into
| | `build_no_apparmor`, which is intended to check that building without
| | apparmor still works.
| |
| | Note: This commit makes the resulting .deb package not have an
| | "-apparmor" suffix (see `EXTRA_VERSION` in mkdeb.sh), to avoid
| | redundancy (as having apparmor support becomes the default).
| |
| | Misc: This is a follow-up to #5654.
| |
| | Relates to #5154 #5176 #5547.
* | Merge pull request #5654 from kmk3/build-mkdeb-noargs [netblue30, 2023-02-14]
|\|
| | build: mkdeb.sh: pass all arguments to ./configure
| * build: mkdeb.sh: pass all arguments to ./configure [Kelvin M. Klann, 2023-02-10]
| |
| | Instead of using the first argument as the `EXTRA_VERSION` variable.
| |
| | This should make the usage of mkdeb.sh less confusing, especially when
| | one is not trying to set the variable.
| |
| | As for using `EXTRA_VERSION` (which is still optional with this
| | commit), make sure that it is set as an environment variable before
| | calling mkdeb.sh. Example:
| |
| |     env EXTRA_VERSION=-apparmor ./mkdeb.sh --enable-apparmor
| |
| | See also commit 9a0fbbd71 ("mkdeb.sh.in: pass remaining arguments to
| | ./configure", 2022-05-13) / PR #5154.
* | private-etc testing [netblue30, 2023-02-06]
| |
* | testing [netblue30, 2023-02-06]
| |
* | installing etc-cleanup tool in /usr/lib/firejail directory [netblue30, 2023-02-06]
|/
* build: mark most phony targets as such [Kelvin M. Klann, 2023-02-03]
|
| To improve clarity and to prevent unnecessary filesystem lookups.
|
| Overall, this appears to reduce the amount of implicit rule searches by
| ~4% for the default build and by ~12% for the "man" target (as an
| example):
|
|     $ git checkout master >/dev/null 2>&1
|     $ git show --pretty='%h %ai %s' -s
|     b55cb6a80 2023-01-31 18:56:42 -0500 testing
|     $ ./configure >/dev/null
|     $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|     7101
|     $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|     1239
|     # (with this commit applied)
|     $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|     6793
|     $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|     1085
|
| Environment: GNU make 4.4-1 on Artix Linux.
|
| Note: The amount of lines printed is the same on non-parallel builds
| (that is, without `-j 4`).
|
| See commit 2465f9248 ("makefiles: make all, clean and distclean PHONY",
| 2021-02-12) / PR #4024 for details.
|
| Note: By "most phony targets" I mean all non-path targets except for
| the testing targets, which were being changed recently (for example,
| the "test-github" target) and so might still be under development.