From 5247a6c7b5820197d26e19064d4ef0ff4edc41a1 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Wed, 25 May 2022 11:42:54 -0300
Subject: mkdeb.sh.in: remove unused PACKAGE_TARNAME/TOP vars

PACKAGE_TARNAME was added on commit 87e7b3139 ("Configure Debian package with AA and SELinux options", 2020-05-13) / PR #3414. TOP was added on commit ed4a24ce7 ("porting make deb-apparmor from LTS build", 2019-01-26).
---
 mkdeb.sh.in | 2 --
 1 file changed, 2 deletions(-)

diff --git a/mkdeb.sh.in b/mkdeb.sh.in
index 6d6981417..a18ff8021 100755
--- a/mkdeb.sh.in
+++ b/mkdeb.sh.in
@@ -9,7 +9,6 @@ set -e
 NAME=@PACKAGE_NAME@
 VERSION=@PACKAGE_VERSION@
-PACKAGE_TARNAME=@PACKAGE_TARNAME@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_SELINUX=@HAVE_SELINUX@
 EXTRA_VERSION=$1
@@ -22,7 +21,6 @@ if [ -n "$HAVE_SELINUX" ]; then
 CONFIG_ARGS="$CONFIG_ARGS --enable-selinux"
 fi
-TOP="$PWD"
 CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
 CODE_DIR="$NAME-$VERSION"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
-- 
cgit v1.2.3-70-g09d2

From b4d0b24c533c8aebb8961bf658e3b41580b073e2 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 27 May 2022 15:10:46 -0300
Subject: fj-mkdeb.py: run distclean before ./configure

This (mostly) restores the behavior from before commit 1fb814e51 ("Makefile.in: stop running distclean on dist", 2022-05-13) / PR #5142. ./configure still has to be called before calling ./contrib/fj-mkdeb.py (to generate Makefile from Makefile.in before calling `make distclean`).
---
 contrib/fj-mkdeb.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/contrib/fj-mkdeb.py b/contrib/fj-mkdeb.py
index 60e25fd14..75fb6cbc8 100755
--- a/contrib/fj-mkdeb.py
+++ b/contrib/fj-mkdeb.py
@@ -29,6 +29,12 @@ def run(srcdir, args):
 else:
 escaped_args.append(shlex.quote(a))
+ # Remove generated files.
+ if not dry_run:
+ distclean = subprocess.call(['make', 'distclean'])
+ if distclean != 0:
+ return distclean
+
 # Run configure to generate mkdeb.sh.
 first_config = subprocess.call(['./configure', '--prefix=/usr'] + args)
 if first_config != 0:
-- 
cgit v1.2.3-70-g09d2

From b6b3f3b3855f07e44431fbc70f4043431c087dc6 Mon Sep 17 00:00:00 2001
From: Hartmut Knaack
Date: Sat, 28 May 2022 22:08:30 +0200
Subject: kate.profile: allow common development file access

Kate has grown support for software development, making it a light IDE. Some version control modules exist, and when using the Git module, a blacklist violation is reported: blacklist violation - sandbox 13902, name kate, exe git, syscall access, path /home/user/.gitconfig Including support for common development file access mitigates this violation issue.
---
 etc/profile-a-l/kate.profile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 8c340d536..194200f4f 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -23,6 +23,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/katepart
 noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
 noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
+include allow-common-devel.inc
+
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
-- 
cgit v1.2.3-70-g09d2

From b2312445609f382d2a0eb1eafcaa1445c8a40ff3 Mon Sep 17 00:00:00 2001
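Review bot: `subprocess.call(['make', 'distclean'])` is issued without checking that a Makefile exists, so on a tree where ./configure has not been run yet (the precondition the commit message itself states) the script stops with make's own error and returns that status with no hint of what was expected; the same unconditional call survives in the rewrite of this hunk in commit 9a0fbbd719 further down. A guard before the call would make the precondition explicit: `if not os.path.isfile('Makefile'):` / `print('Error: run ./configure first to generate Makefile. Exiting.')` / `return 1`. run() begins outside the hunk (only its signature is visible in the @@ header), so whether the working directory has already been switched to srcdir at this point cannot be confirmed here.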
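Review bot: The violation quoted in the commit message names a single file, `${HOME}/.gitconfig`, but the fix pulls in the whole of allow-common-devel.inc, which lifts the blacklist on every path that include covers rather than on that one file; if that include also uncovers credential-bearing files (verify against allow-common-devel.inc), the sandbox widens well beyond what the report justifies. A narrower fix is `noblacklist ${HOME}/.gitconfig` next to the other noblacklist lines, assuming the blacklist comes from one of the disable-*.inc files included below, with the full include reserved for when the other development paths turn out to be needed. Whichever is kept, a comment such as `# git integration of the project plugin` above the new line would record why a text editor profile opens these paths.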
From: Hartmut Knaack
Date: Sat, 28 May 2022 22:09:15 +0200
Subject: kate.profile: enable bash completion in terminal

A side effect of including disable-common.inc is loosing access to /etc/profile.d, where Bash completion is located. Explicitly enable access to console scripts in /etc/profile.d, so that Kate's built-in Konsole instance can be used without limitations. Minor side effect: the spawned Bash tries to access /etc/init.d blacklist violation - sandbox 17317, name kate, exe bash, syscall stat, path /etc/init.d
---
 etc/profile-a-l/kate.profile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 194200f4f..7793c3f0a 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -22,6 +22,7 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
 noblacklist ${HOME}/.local/share/kxmlgui5/katepart
 noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
 noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
+noblacklist /etc/profile.d
 include allow-common-devel.inc
-- 
cgit v1.2.3-70-g09d2

From a934eb1c5d3efb417cc24e51a2cc55603bb39307 Mon Sep 17 00:00:00 2001
From: Hartmut Knaack
Date: Sat, 28 May 2022 22:09:48 +0200
Subject: kate.profile: allow access to kwinrc

When starting Kate, a blacklist violation from accessing the kwinrc config file is reported. As a KDE application, it should be fine for Kate to access it. blacklist violation - sandbox 13410, name kate, exe kate, syscall access, path /home/user/.config/kwinrc
---
 etc/profile-a-l/kate.profile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 7793c3f0a..438dfbf07 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
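Review bot: `noblacklist /etc/profile.d` carries no comment saying why a system directory is being unblacklisted in an editor profile, and the reason (Bash completion for the built-in Konsole terminal, per the commit message) will not be obvious to the next person trimming this file. A one-line comment above it, `# /etc/profile.d: shell completion for the built-in terminal (blacklisted by disable-common.inc)`, keeps that context in the profile itself. The commit message also reports a follow-on `stat` of /etc/init.d by the spawned shell; that is only a denied lookup and leaving it blacklisted looks fine, but noting that decision in the same comment would stop it from being chased again later.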
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.config/katerc
 noblacklist ${HOME}/.config/kateschemarc
 noblacklist ${HOME}/.config/katesyntaxhighlightingrc
 noblacklist ${HOME}/.config/katevirc
+noblacklist ${HOME}/.config/kwinrc
 noblacklist ${HOME}/.local/share/kate
 noblacklist ${HOME}/.local/share/kxmlgui5/kate
 noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree
-- 
cgit v1.2.3-70-g09d2

From 759b496fd242de708ac277b3bc1c39202ea7d568 Mon Sep 17 00:00:00 2001
From: Hartmut Knaack
Date: Sat, 28 May 2022 22:10:02 +0200
Subject: kate.profile: drop tracelog

When starting kate and loading into a session containing a git repository, tracelog caused about 30 seconds of delay until the project structure appeared in the projects sidebar. Error message on console: QProcess: Destroyed while process ("/usr/bin/git") is still running. Drop tracelog to mitigate the delay and error message.
---
 etc/profile-a-l/kate.profile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 438dfbf07..9eadaec12 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -52,7 +52,6 @@ novideo
 protocol unix
 seccomp
 shell none
-tracelog
 # private-bin kate,kbuildsycoca4,kdeinit4
 private-dev
-- 
cgit v1.2.3-70-g09d2

From 7da1793c3b9a46fb04094fac23cb007bdb7e0073 Mon Sep 17 00:00:00 2001
From: Hartmut Knaack
Date: Sat, 28 May 2022 22:12:58 +0200
Subject: seamonkey.profile: support enigmail/gpg

Changes inspired by Thunderbird profile.
---
 etc/profile-m-z/seamonkey.profile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index e67e51620..5210a594c 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -7,6 +7,7 @@ include seamonkey.local
 include globals.local
 noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.local/share/pki
 noblacklist ${HOME}/.pki
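Review bot: `noblacklist ${HOME}/.config/kwinrc` restores full access to the window manager's configuration file, while the violation in the commit message is an `access` check rather than a write; if Kate only needs to read it, pairing the entry with `read-only ${HOME}/.config/kwinrc` (placed where this profile keeps its read-only lines, if it has any) keeps the file from being modified from inside the sandbox. The surrounding entries are all Kate-owned files, so a short comment that kwinrc belongs to KWin and is merely consulted would help a later reader understand why it sits in this list.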
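Review bot: Removing `tracelog` turns off the logging of blacklist violations for this profile, which is exactly the signal the preceding kate commits used to find the missing entries, so the next missing path will fail silently instead of being reported. Whether tracelog causes the 30-second delay or only surfaces the git subprocess problem cannot be confirmed from the diff; if the delay is reproducible with the new noblacklist entries in place and tracelog re-enabled, a comment at the removed position, `# tracelog disabled: ~30s delay when the project plugin spawns git`, would record the trade-off instead of leaving the profile quietly less observable than its neighbours.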
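Review bot: `noblacklist ${HOME}/.gnupg` here, together with the `mkdir`, `whitelist` and `writable-run-user` lines in the three hunks that follow, exposes the user's entire GnuPG home (private keyring, trust database, agent configuration) to a combined browser and mail suite, a considerably larger trust boundary than the Thunderbird profile this copies, which is a mail client only. The commit record gives no per-line justification, so at minimum each new `.gnupg` line should carry a `# enigmail/gpg` comment, and `writable-run-user`, whose exact effect is not shown in this diff, should say which agent socket it is needed for so a reviewer can judge whether a narrower directive exists. If the profile has a mechanism to expose only the agent socket rather than the keyring directory, that would be the preferable default with the full whitelist left to seamonkey.local.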
@@ -17,6 +18,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 mkdir ${HOME}/.cache/mozilla
+mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mozilla
 mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.pki
@@ -26,6 +28,7 @@ whitelist ${HOME}/.cache/mozilla
 whitelist ${HOME}/.config/gnome-mplayer
 whitelist ${HOME}/.config/pipelight-silverlight5.1
 whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.local/share/pki
@@ -53,3 +56,4 @@ tracelog
 disable-mnt
 # private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
+writable-run-user
-- 
cgit v1.2.3-70-g09d2

From 9a0fbbd719b6d6c6fe46ae0f4b2e0ccd7988edcc Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 13 May 2022 23:33:20 -0300
Subject: mkdeb.sh.in: pass remaining arguments to ./configure

Currently, mkdeb.sh (which is used to make a .deb package) runs ./configure with hardcoded options (some of which are automatically detected based on configure-time variables). To work around the hardcoding, contrib/fj-mkdeb.py is used to add additional options by rewriting the actual call to ./configure on mkdeb.sh. For example, the following invocation adds --disable-firetunnel to mkdeb.sh: $ ./configure && ./contrib/fj-mkdeb.py --disable-firetunnel To avoid depending on another script and to avoid re-generating mkdeb.sh, just let the latter pass the remaining arguments (the first one is an optional package filename suffix) to ./configure directly. Example: $ make distclean && ./configure && make dist && ./mkdeb.sh "" --disable-firetunnel Additionally, change contrib/fj-mkdeb.py to do roughly the same as the above example, by simply forwarding the arguments that it receives to ./mkdeb.sh (which then forwards them to ./configure). Also, remove the --only-fix-mkdeb option, since the script does not change mkdeb.sh anymore. With these changes, the script's usage (other than when using --only-fix-mkdeb) should remain the same. Note: To clean the generated files and then make a .deb package using the default configuration, the invocation is still the same: $ make distclean && ./configure && make deb Note2: Running ./configure in the above examples is only needed for generating Makefile/mkdeb.sh from Makefile.in/mkdeb.sh.in after running distclean, so that running `make` / `./mkdeb.sh` afterwards works. Should fully fix #772. Relates to #1205 #3414 #5148.
---
 .gitlab-ci.yml | 2 +-
 Makefile.in | 2 +-
 contrib/fj-mkdeb.py | 40 ++++++++++++++--------------------------
 mkdeb.sh.in | 12 ++----------
 4 files changed, 18 insertions(+), 38 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4871ef031..af590e2e1 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -54,7 +54,7 @@ build_apparmor:
 script:
 - apt-get update -qq
 - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk
- - ./configure --prefix=/usr --enable-apparmor && make deb-apparmor && dpkg -i firejail*.deb
+ - ./configure && make deb-apparmor && dpkg -i firejail*.deb
 - command -V firejail && firejail --version
 - firejail --version | grep -F 'AppArmor support is enabled'
diff --git a/Makefile.in b/Makefile.in
index 0e80fb43a..7d961213a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -222,7 +222,7 @@ deb: dist
 ./mkdeb.sh
 deb-apparmor: dist
- ./mkdeb.sh -apparmor
+ ./mkdeb.sh -apparmor --enable-apparmor
 test-compile: dist
 cd test/compile; ./compile.sh $(NAME)-$(VERSION)
diff --git a/contrib/fj-mkdeb.py b/contrib/fj-mkdeb.py
index 75fb6cbc8..f6611bee8 100755
--- a/contrib/fj-mkdeb.py
+++ b/contrib/fj-mkdeb.py
@@ -3,9 +3,10 @@
 # Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
-# This script automates the workaround for https://github.com/netblue30/firejail/issues/772
+# This script automates the creation of a .deb package. It was originally
+# created to work around https://github.com/netblue30/firejail/issues/772
-import os, shlex, subprocess, sys
+import os, subprocess, sys
 def run(srcdir, args):
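Review bot: After this commit `make deb` (the `deb:` target whose `./mkdeb.sh` recipe is the first context line of the Makefile.in hunk, left unchanged) always packages with the default configure options, because the `HAVE_APPARMOR`/`HAVE_SELINUX` detection is removed from mkdeb.sh.in later in this same commit and only `deb-apparmor` passes its option explicitly; a tree configured with `--enable-selinux` now yields a .deb without SELinux support where it previously got one, and nothing in the diff or the commit message calls that out. Either add a parallel target, `deb-selinux: dist` / `./mkdeb.sh -selinux --enable-selinux`, or put a comment above `deb:` such as `# configure options are no longer inherited from ./configure; pass them to mkdeb.sh explicitly` and mention the behaviour change in the commit message. The .gitlab-ci.yml hunk above is consistent with the new contract, since it relies on `deb-apparmor` rather than on configure-time detection.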
@@ -15,41 +16,29 @@ def run(srcdir, args):
 print('Error: Not a firejail source tree? Exiting.')
 return 1
- dry_run = False
- escaped_args = []
- # We need to modify the list as we go. So be sure to copy the list to be iterated!
+ # Ignore unsupported arguments.
 for a in args[:]:
 if a.startswith('--prefix'):
 # prefix should ALWAYS be /usr here. Discard user-set values
 args.remove(a)
- elif a == '--only-fix-mkdeb':
- # for us, not configure
- dry_run = True
- args.remove(a)
- else:
- escaped_args.append(shlex.quote(a))
 # Remove generated files.
- if not dry_run:
- distclean = subprocess.call(['make', 'distclean'])
- if distclean != 0:
- return distclean
+ distclean = subprocess.call(['make', 'distclean'])
+ if distclean != 0:
+ return distclean
 # Run configure to generate mkdeb.sh.
 first_config = subprocess.call(['./configure', '--prefix=/usr'] + args)
 if first_config != 0:
 return first_config
- # Fix up dynamically-generated mkdeb.sh to include custom configure options.
- with open('mkdeb.sh', 'rb') as f:
- sh = str(f.read(), 'utf_8')
- with open('mkdeb.sh', 'wb') as f:
- f.write(bytes(sh.replace('./configure $CONFIG_ARGS',
- './configure $CONFIG_ARGS ' + (' '.join(escaped_args))), 'utf_8'))
-
- if dry_run: return 0
+ # Create the dist file used by mkdeb.sh.
+ make_dist = subprocess.call(['make', 'dist'])
+ if make_dist != 0:
+ return make_dist
- return subprocess.call(['make', 'deb'])
+ # Run mkdeb.sh with the custom configure options.
+ return subprocess.call(['./mkdeb.sh'] + args)
 if __name__ == '__main__':
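Review bot: `return subprocess.call(['./mkdeb.sh'] + args)` at the end of the hunk hands the first configure option to mkdeb.sh as its first positional argument, which mkdeb.sh.in (later in this commit) assigns to `EXTRA_VERSION` and then `shift`s away, so with `--disable-firetunnel` the option becomes the package filename suffix and never reaches ./configure; the commit message's own example passes an empty first argument (`./mkdeb.sh "" --disable-firetunnel`) for exactly this reason. The call should read `return subprocess.call(['./mkdeb.sh', ''] + args)`, preceded by a comment such as `# mkdeb.sh's first argument is the package filename suffix; keep it empty`. Two smaller points: the `--prefix` filter still mutates the caller's `args` list in place, where `args = [a for a in args if not a.startswith('--prefix')]` would be clearer and side-effect free, and `make distclean` is still run without checking that a Makefile exists. run() begins before this hunk.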
@@ -57,13 +46,12 @@ if __name__ == '__main__':
 print('''Build a .deb of firejail with custom configure options usage:
-{script} [--fj-src=SRCDIR] [--only-fix-mkdeb] [CONFIGURE_OPTIONS [...]]
+{script} [--fj-src=SRCDIR] [CONFIGURE_OPTIONS [...]]
 --fj-src=SRCDIR: manually specify the location of firejail source tree as SRCDIR. If not specified, looks in the parent directory of the directory where this script is located, and then the current working directory, in that order.
- --only-fix-mkdeb: don't run configure or make after modifying mkdeb.sh
 CONFIGURE_OPTIONS: arguments for configure
 '''.format(script=sys.argv[0]))
 sys.exit(0)
diff --git a/mkdeb.sh.in b/mkdeb.sh.in
index a18ff8021..79f8d748c 100755
--- a/mkdeb.sh.in
+++ b/mkdeb.sh.in
@@ -9,17 +9,9 @@ set -e
 NAME=@PACKAGE_NAME@
 VERSION=@PACKAGE_VERSION@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_SELINUX=@HAVE_SELINUX@
 EXTRA_VERSION=$1
-CONFIG_ARGS="--prefix=/usr"
-if [ -n "$HAVE_APPARMOR" ]; then
- CONFIG_ARGS="$CONFIG_ARGS --enable-apparmor"
-fi
-if [ -n "$HAVE_SELINUX" ]; then
- CONFIG_ARGS="$CONFIG_ARGS --enable-selinux"
-fi
+test "$#" -gt 0 && shift
 CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
 CODE_DIR="$NAME-$VERSION"
@@ -36,7 +28,7 @@ echo "*****************************************"
 tar -xJvf "$CODE_ARCHIVE"
 #mkdir -p "$INSTALL_DIR"
 cd "$CODE_DIR"
-./configure $CONFIG_ARGS
+./configure --prefix=/usr "$@"
 make -j2
 mkdir debian
 DESTDIR=debian make install-strip
-- 
cgit v1.2.3-70-g09d2
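Review bot: The new positional contract of mkdeb.sh.in — `$1` is an optional package filename suffix and everything after it goes to ./configure — exists only in the commit message; the script itself shows `EXTRA_VERSION=$1` followed by `test "$#" -gt 0 && shift` with nothing explaining why a caller must pass `""` to reach the configure options, which is precisely the mistake the fj-mkdeb.py hunk above makes. A comment above `EXTRA_VERSION=$1`, `# $1: optional suffix for the .deb filename (pass "" for none); remaining arguments are forwarded to ./configure`, documents it where callers look. The `test "$#" -gt 0 &&` guard is there because a bare `shift` with no arguments returns non-zero and would abort the script under `set -e`; that deserves a word in the same comment so nobody "simplifies" it away.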